Nathan Christopher McRae e6c331575a Make target file relative to script file
Since we expect them to be in the same directory
2025-11-24 12:07:34 -08:00
2025-11-23 21:11:34 -08:00

This is a simple utility to create a signed message associated with a target file. Recipients who can check the validity of the message signature will also know that it applies to the specific target file they have a copy of. It is meant as an alternative to signing files directly. See the motivation section below.

Usage

To create the message:

  1. Run this utility on a target file, then input your message when prompted.
    • A shell script associated with the file (named {target-file}.sh) will be created
  2. Sign the shell script.
  3. Distribute the target file, shell script, and signature together.

To verify the message, recipients will:

  1. Verify your signature of the script file
  2. Run the script file, and if the target file matches the one you specified (check by comparing hashes) your message will be output.
    • If the recipient does not want to run the script, they can simply inspect it to find the message and the file's hash which they can verify matches by themselves.

Example script

This is the kind of script that is created:

#!/usr/bin/env sh
# Generated attestation script: the message and the SHA-256 of the target
# file are embedded here, and the script itself is what gets signed.

MESSAGE="test
"
FILE="npr2.htm"
EXPECTED_HASH="3e1af128cb192b6d8ded7f2d66afc1ebe8bd9619f252573888b4bf385448db89"

# Recompute the hash of the local copy and compare it with the embedded one.
if [ "$(sha256sum "$FILE" | awk '{print $1}')" = "$EXPECTED_HASH" ]; then
	printf "File %s validated with message:\\n%s" "$FILE" "$MESSAGE"
	exit 0
else
	echo "File $FILE is not valid"
	exit 1
fi

Motivation

Signing a file typically means "I authored this", but sometimes you want to communicate something else, for example to indicate that you retrieved something on a given date.

However, just signing the file can't really convey that meaning. There are probably plenty of potential formats that could deal with this, but one very simple method is to create a shell script associated with the file you want to attest and embed the message and the file's hash in that script. Then you sign the script, which ties the message to the specific version of the file. Whoever receives the trio of files verifies the script against the signature, then runs the script, which outputs the message only if the target file matches the embedded hash.
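As an added example (not the project's own code), here is a minimal generator for the kind of script shown above, covering the Usage steps and the process described in this section. It assumes a function name `make_attest_script`, resolves the target relative to the script's own directory as the commit message describes, and embeds the message in single quotes with escaping so a message containing quotes or `$` cannot break or expand inside the generated script. `demo_attest` builds a constructed sample file in a temporary directory, generates the script, runs it, then tampers with the file to show the rejection path.

```shell
#!/usr/bin/env sh
# Added example, not part of the project: generate an attestation script
# for a target file. Names (make_attest_script, demo_attest) are assumptions.

# make_attest_script TARGET MESSAGE
# Writes TARGET.sh next to TARGET, prints the script path on stdout.
make_attest_script() {
    target="$1"
    message="$2"
    dir=$(dirname "$target")
    base=$(basename "$target")
    hash=$(sha256sum "$target" | awk '{print $1}')
    # Single-quote the message; each literal ' becomes '\'' so the shell
    # neither expands nor mis-parses anything the author typed.
    safe_message=$(printf '%s' "$message" | sed "s/'/'\\\\''/g")
    script="$dir/$base.sh"
    # Unquoted heredoc: $safe_message/$base/$hash expand now, \$ stays literal.
    cat > "$script" <<EOF
#!/usr/bin/env sh
MESSAGE='$safe_message'
FILE="\$(dirname "\$0")/$base"
EXPECTED_HASH="$hash"

if [ "\$(sha256sum "\$FILE" | awk '{print \$1}')" = "\$EXPECTED_HASH" ]; then
	printf 'File %s validated with message:\n%s\n' "\$FILE" "\$MESSAGE"
	exit 0
else
	echo "File \$FILE is not valid" >&2
	exit 1
fi
EOF
    chmod +x "$script"
    printf '%s\n' "$script"
}

# demo_attest: returns 0 when the generated script accepts the original
# (constructed) file and prints the message, and rejects a modified copy.
demo_attest() {
    tmp=$(mktemp -d)
    printf 'constructed sample content\n' > "$tmp/report.txt"
    script=$(make_attest_script "$tmp/report.txt" "Retrieved on 2025-11-23; it's a test")
    out=$(sh "$script") || { rm -rf "$tmp"; return 1; }
    case "$out" in
        *"it's a test"*) ;;
        *) rm -rf "$tmp"; return 1 ;;
    esac
    printf 'tampered\n' >> "$tmp/report.txt"
    if sh "$script" >/dev/null 2>&1; then
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Usage: . ./attest.sh; make_attest_script path/to/file "your message"
```

The script path is resolved from `$0` rather than the current working directory, so running the script from elsewhere still checks the copy that sits beside it; a recipient who prefers not to execute it can still read `EXPECTED_HASH` and `MESSAGE` directly, as the Usage section notes.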

TODO: example of making it a function in your profile

TODO: guix package
